AWS Certified Security – Specialty — Question 478

A web application gives users the ability to log in, verify their membership’s validity, and browse artifacts that are stored in an Amazon S3 bucket. When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example.com.

What is the MOST secure way for a security engineer to implement this functionality?

Answer options

• A. Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.
• B. Implement an IAM policy to give the user read access to the S3 bucket.
• C. Create an S3 presigned URL. Provide the S3 presigned URL to the user through the application.
• D. Create an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.

Correct answer: D

Explanation

Amazon CloudFront signed URLs are the best choice because they allow secure, temporary access to private content while natively supporting custom domain names (CNAMEs) like example.com. S3 presigned URLs do not support custom domains as seamlessly as CloudFront, and managing bucket ACLs or IAM policies for individual user downloads is insecure, inefficient, and difficult to scale.